CVE-2025-14881
pretix has Broken Access Control Allowing Cross-User File Access via UUID
EPSS 0.06%
Description
Multiple API endpoints allowed a user to access sensitive files belonging to other users simply by knowing the file's UUID, even though those files were not intended to be accessible by UUID alone.
How to fix CVE-2025-14881
To remediate CVE-2025-14881, upgrade the affected package to a fixed version below.
- PyPI/pretix: upgrade to 2025.10.1 or later
Is CVE-2025-14881 being exploited?
Low (EPSS 0.1%): exploitation activity has not been observed at scale.
Affected packages (1)
- pretix (PyPI): >= 2025.10.0, < 2025.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U |